It turns out there's a method behind the FBI's raids of suspected Anonymous …

Share this story

It turns out there’s a method behind the FBI’s raids of suspected Anonymous members around the country. The bureau is working from a list, provided by PayPal, of the 1,000 internet IP addresses responsible for the most protest traffic during Anonymous’ DDoS attacks against PayPal last December.

FBI agents served 40 search warrants in January on people suspected of hosing down PayPal during ”Operation Payback”—Anonymous’ retaliatory attack against companies who blacklisted WikiLeaks. On July 19, the feds charged the first 14 defendants under the Computer Fraud and Abuse Act, and raided an additional 35 suspects for evidence.

An FBI affidavit first published Tuesday by an NBC affiliate in Dallas lays out how the FBI decided on its targets, and suggests the bureau may have plenty more.

According to the affidavit by FBI agent Chris Thompson, PayPal security officials were in close contact with the bureau beginning on December 6, two days after PayPal froze WikiLeaks’ donation account and the first day it began receiving serious denial-of-service traffic. FBI agents began monitoring Anonymous press releases and Twitter postings about Operation Payback, while PayPal collected traffic logs on a Radware intrusion prevention system installed on its network.

On December 15, the company turned over a USB thumb drive containing the Radware reports, which documented “approximately 1,000 IP addresses that sent malicious network packets to PayPal during the DDoS attacks.” The list represented the “IP addresses that sent the largest number of packets.”

It was easy to distinguish the packets coming from the’ “Low Orbit Ion Cannon”—Anonymous’ fire-and-forget DDoS tool—because they contained strings like “wikileaks,” “goof,” and “goodnight,” the affidavit notes.

The newly released affidavit was offered in support of a search warrant for the home of an Arlington, Texas couple and their son, who were among the July 19 targets, and have not been charged. The house was the source of 3,678 packets in about two-and-a-half hours starting December 8.